What is FormBook? New malware hits defense, aerospace and manufacturing firms in US and South Korea

The data-stealing malware has been advertised in a number of hacking forums since early 2016.

Hackers have been targeting defense, aerospace and manufacturing firms in the US and South Korea with the FormBook malwareiStock

Security researchers have discovered a new data-stealing malware called FormBook that has been targeting aerospace companies, defense contractors and some manufacturing firms in the US and South Korea over the past few months. Researchers at FireEye said hackers have been using various methods to distribute the malicious payload via email campaigns in the US including malware-laced PDF, DOC or XLS attachments.

Threat actors have also been using malicious archive files such as ZIP, RAR, ACE and ISOs with executable payloads for firms in the US and South Korea.

FormBook is a type of data-stealing and form-grabbing malware that has been advertised in a number of hacking forums since early 2016 that works on "all versions of Windows". According to an underground advertisement, its authors described FormBook as an "advanced[d] internet activity logging software" designed to give users an "extensive and powerful internet monitoring experience".

The malicious software can inject itself into various processes and is capable of keystroke logging, stealing clipboard contents and extracting data from HTTP sessions, researchers said.

It can also execute commands from a command and control server including instructing the malware to download and execute additional files, start processes, shutdown and reboot the infected system as well as steal cookies and local passwords.

"One of the malware's most interesting features is that it reads Windows' ntdll.dll module from disk into memory, and calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms ineffective," FireEye researchers said in a blog post. "The malware author calls this technique 'Lagos Island method' (allegedly originating from a userland rootkit with this name).

"It also features a persistence method that randomly changes the path, filename, file extension, and the registry key used for persistence."

Researchers noted that the nefarious authors behind the malware do not sell the builder, but just access to the panel. The author then generates the executable files as a service with prices ranging from $29 a week to a $299 full-package "pro" deal.

In one instance, researchers said the FormBook malware was distributed via emails purporting to be from DHL, claiming the target had a package to pick up. The email instructed the user to download and print the attachment via a link in an attached PDF. Once clicked, the malicious payload is deployed.

According to FireEye, the malicious link has been garnered a total of 716 hits across 36 countries around the world.

In a second campaign, the malware was delivered via emails claiming to be invoices, contracts or orders with a Word or Excel document that includes a malicious hidden macro to deploy the FormBook payload.

In another campaign, the malicious payload was distributed using archive files such as ZIP, RAR, ACE, and ISO, which accounted for the highest distribution volume. Researchers said this campaign used different business-related subject lines often regarding payment or purchase orders.

"While FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use, affordable pricing structure, and open availability make FormBook an attractive option for cyber criminals of varying skill levels," researchers said. "In the last few weeks, FormBook was seen downloading other malware families such as NanoCore.

"The credentials and other data harvested by successful FormBook infections could be used for additional cyber crime activities including, but not limited to: identity theft, continued phishing operations, bank fraud and extortion."